1

Constraint Problems in

Program Analysis

from the sublime to the ridiculous

Alex AikenStanford University

2

Focus

• Techniques used by– Type and program analysis communities– Other than SAT

• Warning: Personal biases ahead . . .

3

Topics

• Different notions of solving

• Algorithmics and engineering

• Solving vs. entailment

• Open problems

4

What’s Different

• NP-Hard problems:SOLVE(F) = one solution

• PTIME problems:SOLVE(F) = all solutions

5

Example: Unification

a int inta

!

! !

a int

°

!

!

!

¯ ¯ Represents all solutions.

=

6

Comments

• A single representation for all solutions

• A great deal of sharing among the solutions

• Characteristic of PTIME techniques– Intuitively, this must be the case– Exponential number of incomparable solutions

requires more than PTIME• But see uses of BDD’s . . .

7

Why is This Useful?

F(a) {………return b

}

a

¯

constraints C

Conclude:

F: a! ¯ where C

8

Why is This Useful?

F(a) { … return b }

G(x) { … F(i) … }H(y) { … F(j) … }I(z) { … F(k) … }

• F: a! ¯ where C

• If all solutions of C have a compact representation, solve C once, reuse at each call site

• If solutions are not compactly representable, better to reanalyze F in each calling context

9

Two Styles of Analysis

• Whole program– Entire program needed for analysis of any piece

• Compositional– Can analyze partial or “open” programs

(libraries)

• Intimately connected to solving complexity– Leads to very different engineering issues– This is poorly understood today

10

Algorithms and Engineering

• Algorithms: PTIME is good enough

• Engineering: linear space is essential– Must also be close to linear time– These algorithms are applied at large scales– Linux kernel 6.2MLOC

11

Set Constraints (a fragment)

• Set expressions:

E ::= X | c(E1,...,En)

• Set constraints:

Æ Ej1 µ Ej2j

12

Applications

• Pointer analysis• Subtyping systems• Soft typing• Context-free reachability• Multiple reachability properties

– A context free and any regular properties• …

13

Constraints as Graphs

a b U V

c c

X YConstraints:Graph:

c(a,b) X

c(U,V)Y

µ

X Yµ

µ

Rewrite rules:

E1 µ X µ E2 ) E1 µ E2

c(E1,...,En) µ c(E1’,...En’) ) Æ Ei µ Ei’

14

Solutions

• Solution size is potentially O(n2)– May be the complete graph

• Solution time is O(n3)– Each of O(n2) edges may be added in O(n) ways

• A major engineering issue– 1996: analyze 5 KLOC– 2002: analyze 6MLOC

• now in production compilers

15

Optimization: Cycle Elimination

• Variables in a cycle are all equivalentX1 µ X2 … µ Xn µ X1

• Optimization: collapse them into one variable

…

S S

S S

S

16

Discussion

• Good techniques for cycle-elimination known– Does not change worst-case complexity– But makes 100X time difference

• Specific algorithmic/implementation techniques are critical to the success of decision procedures– Even “cheap” ones– Support for such research is important

17

Entailment

• Often want to know: Does C imply some constraint(s) C’?

• Is every solution of C a solution of C’?– Entailment– Validity (does C imply true?)

• Important for– Queries (can I perform this optimization?)– Presentation (simplification of constraints)

18

Is there an Issue?

• Consider SAT solving

• Satisfiability: NP-complete• Validity: CoNP-complete

• But we use the same implementation for both– Just need to know if there are 0 or > 0 solutions

19

The Issue

• For low complexity techniques entailment often very different from satisfiability

• Example: Conditional equality constraints

¿1 · ¿2 , ¿1 = ? Ç ¿1 = ¿2

20

Conditional Equality Constraints

• Solving– Near linear time

• Entailment– Quadratic

• Completely different algorithms– And different engineering– Big difference between linear and super-

linear . . .– . . . see previous discussion

21

Open Problems (Theory)

• The “cubic-time” set constraint fragment– Entailment is in NEXPTIME– Entailment is PSPACE-Hard

• Non-structural subtype entailment– Entailment is PSPACE-Hard– Decidability is open– First-order fragment is undecidable

• With 3 quantifier alternations

22

An Open Problem? (Engineering)

• Integer programming– NP-complete– Huge topic in analysis of software

• Parallelization, resource allocation, understanding arrays …

• ConsiderMinimize x subject to 3x+3y=4

• What do ILP solvers do?– Answer: LP-based solvers diverge. Why?

23

Combining Theories

• Many applications use multiple kinds of constraints– And there are many such constraint theories

• Need good ways of combining theories– More than Nelson-Oppen

24

Topics

• Different notions of solving

• Algorithmics and engineering

• Solving vs. entailment

• Open problems